Posted to dev@httpd.apache.org by Gary Benson <gb...@redhat.com> on 2001/12/21 16:27:09 UTC
[bug] 404 served instead of 401
Hi,
I found a bug whereby Apache 1.3.22 inconsistently handles the interaction
between aliases to non-existent paths and authentication. If the alias is
specified as an absolute path then a 401 is always served, but if the
alias is a relative path then in some cases a 404 will be served.
I don't see this as a security threat -- "an attacker could see that
you are dozy and have specified non-existent paths" doesn't really
instill fear -- but it nevertheless is leaking information which it
probably shouldn't.
To test it for yourselves, take one apache-1.3.22 tarball, configure,
make and make install. I did it in /usr/local/apache, so you'll
probably want to sed the patch if you try it somewhere else.
$ cd /usr/local/apache
$ patch -p0 < httpd.conf.patch # attached
$ mv htdocs/manual .
$ ln -s nowhere htdocs/broken
$ bin/apachectl start
Finally, run test.sh. An annotated version of its output is as
follows:
* Not an alias and not present in the docroot
http://localhost:8080/Xmanual 401
http://localhost:8080/Xmanual/ 401
* Alias to an existing path
http://localhost:8080/0manual 401
http://localhost:8080/0manual/ 401
* Aliases to non-existent relative paths
http://localhost:8080/1manual 401
http://localhost:8080/1manual/ 404 <<<<<<
http://localhost:8080/2manual 404 <<<<<<
http://localhost:8080/2manual/ 404 <<<<<<
http://localhost:8080/3manual 404 <<<<<<
http://localhost:8080/3manual/ 404 <<<<<<
http://localhost:8080/4manual 401
http://localhost:8080/4manual/ 404 <<<<<<
* Aliases to non-existent absolute paths
http://localhost:8080/5manual 401
http://localhost:8080/5manual/ 401
http://localhost:8080/6manual 401
http://localhost:8080/6manual/ 401
http://localhost:8080/7manual 401
http://localhost:8080/7manual/ 401
http://localhost:8080/8manual 401
http://localhost:8080/8manual/ 401
* Aliases to a relative path to a broken symlink
http://localhost:8080/9manual 401
http://localhost:8080/9manual/ 404 <<<<<<
http://localhost:8080/Amanual 404 <<<<<<
http://localhost:8080/Amanual/ 404 <<<<<<
http://localhost:8080/Bmanual 404 <<<<<<
http://localhost:8080/Bmanual/ 404 <<<<<<
http://localhost:8080/Cmanual 401
http://localhost:8080/Cmanual/ 404 <<<<<<
* Aliases to an absolute path to a broken symlink
http://localhost:8080/Dmanual 401
http://localhost:8080/Dmanual/ 401
http://localhost:8080/Emanual 401
http://localhost:8080/Emanual/ 401
http://localhost:8080/Fmanual 401
http://localhost:8080/Fmanual/ 401
http://localhost:8080/Gmanual 401
http://localhost:8080/Gmanual/ 401
I don't know whether you'd prefer it to return a 401 or a 404 (it
follows the alias, but the new path isn't valid, and if the new path
isn't valid then why apply directory stuff to it?) Personally I prefer
returning a 401, but that's not my choice to make. Either way, the
fact that it is inconsistent is not good.
Cheers, and Merry Christmas,
Gary
[ gbenson@redhat.com ][ GnuPG 85A8F78B ][ http://inauspicious.org/ ]
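A small harness for the check Gary describes, added here as an example; it is not the test.sh from the original post. It requests each URL without credentials and flags any path under a protected area that answers with something other than 401, plus any /x versus /x/ pair that disagrees (the two signatures of the leak in the output above). The sample status codes are copied from that annotated output; the host, port and the use of plain GET requests are assumptions.

```python
"""Flag protected paths that answer 404 (or anything but 401) unauthenticated."""
import sys
import urllib.error
import urllib.request
from collections import defaultdict


def fetch_status(url, timeout=5):
    """Return the HTTP status code for an unauthenticated GET of url."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401 and 404 arrive here, not as a normal response


def probe(urls):
    """Map each URL to the status code it returned."""
    return {url: fetch_status(url) for url in urls}


def find_leaks(results, expected=401):
    """URLs under a protected area that did not get `expected` (sorted)."""
    return sorted(url for url, status in results.items() if status != expected)


def find_pair_mismatches(results):
    """Bases whose '/x' and '/x/' variants answered with different codes."""
    codes_by_base = defaultdict(set)
    for url, status in results.items():
        codes_by_base[url.rstrip("/")].add(status)
    return sorted(base for base, codes in codes_by_base.items() if len(codes) > 1)


# Constructed sample: codes copied from the annotated test.sh output above.
SAMPLE = {
    "http://localhost:8080/0manual": 401, "http://localhost:8080/0manual/": 401,
    "http://localhost:8080/1manual": 401, "http://localhost:8080/1manual/": 404,
    "http://localhost:8080/2manual": 404, "http://localhost:8080/2manual/": 404,
    "http://localhost:8080/4manual": 401, "http://localhost:8080/4manual/": 404,
}

if __name__ == "__main__":
    # Pass URLs on the command line to probe a live server; otherwise use SAMPLE.
    results = probe(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE
    for url, status in results.items():
        print(f"{url} {status}{' <<<<<<' if status != 401 else ''}")
    print("pair mismatches:", find_pair_mismatches(results))
```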
Re: [bug] 404 served instead of 401
Posted by "William A. Rowe, Jr." <wr...@covalent.net>.
From: "Gary Benson" <gb...@redhat.com>
Sent: Friday, December 21, 2001 9:27 AM
> I found a bug whereby Apache 1.3.22 inconsistently handles the interaction
> between aliases to non-existent paths and authentication. If the alias is
> specified as an absolute path then a 401 is always served, but if the
> alias is a relative path then in some cases a 404 will be served.
I believe this is most definitely a feature. IIRC, this prevents some
phantom requests from autoindex-revealing. At least that's what I remember,
could be wrong.
Re: [bug] 404 served instead of 401
Posted by Gary Benson <gb...@redhat.com>.
On Fri, 21 Dec 2001, Rodent of Unusual Size wrote:
> Gary Benson wrote:
> >
> > I found a bug whereby Apache 1.3.22 inconsistently handles
> > the interaction between aliases to non-existent paths and
> > authentication. If the alias is specified as an absolute
> > path then a 401 is always served, but if the alias is a
> > relative path then in some cases a 404 will be served.
>
> I don't recall that we ever supported, nor even suggested
> that we supported, 'relative' file paths for aliases. To
> what would they be relative?
The docroot, I suppose. But in that case, if we don't support them then
should we not be returning 500s instead of 401s and 404s?
Gary
[ gbenson@redhat.com ][ GnuPG 85A8F78B ][ http://inauspicious.org/ ]
Re: [bug] 404 served instead of 401
Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
Gary Benson wrote:
>
> I found a bug whereby Apache 1.3.22 inconsistently handles
> the interaction between aliases to non-existent paths and
> authentication. If the alias is specified as an absolute
> path then a 401 is always served, but if the alias is a
> relative path then in some cases a 404 will be served.
I don't recall that we ever supported, nor even suggested
that we supported, 'relative' file paths for aliases. To
what would they be relative?
--
#ken P-)}
Ken Coar, Sanagendamgagwedweinini http://Golux.Com/coar/
Author, developer, opinionist http://Apache-Server.Com/
"All right everyone! Step away from the glowing hamburger!"